<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">
<br class="">
<div>
<blockquote type="cite" class="">
<div class="">On Mar 3, 2015, at 8:55 AM, Topi Miettinen <<a href="mailto:toiwoton@gmail.com" class="">toiwoton@gmail.com</a>> wrote:</div>
<br class="Apple-interchange-newline">
<div class="">On 03/03/15 01:28, Jay Faulkner wrote:<br class="">
<blockquote type="cite" class="">Hey,<br class="">
<br class="">
Lennart reviewed this in IRC and suggested I refactor the change in this<br class="">
manner. Now, we have an array of capability:sys call pairs, and iterate<br class="">
through that and then only add the seccomp filter if the capability<br class="">
doesn’t exist.<br class="">
<br class="">
The new patch is attached, and available<br class="">
here: <a href="https://github.com/jayofdoom/systemd/pull/5.patch" class="">https://github.com/jayofdoom/systemd/pull/5.patch</a>.
<br class="">
</blockquote>
<br class="">
+typedef struct CapSeccompPair {<br class="">
+        uint64_t capability;<br class="">
+        int scmp_syscall_num;<br class="">
+} CapSeccompPair;<br class="">
...<br class="">
+        static const CapSeccompPair blacklist[] = {<br class="">
+                { SCMP_SYS(iopl), CAP_SYS_RAWIO },<br class="">
<br class="">
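</div>
</blockquote>
<div class="">Review bot: the initialiser for blacklist[] lists SCMP_SYS(iopl) first and CAP_SYS_RAWIO second, but the struct declared just above orders capability before scmp_syscall_num, so each entry stores a syscall number in its capability field and a capability index in its syscall field, and the compiler cannot object because both are plain integers. Designated initialisers, e.g. { .capability = CAP_SYS_RAWIO, .scmp_syscall_num = SCMP_SYS(iopl) }, make the field order irrelevant; a start-up check that every capability value is at most CAP_LAST_CAP would also catch a swap like this one, because the iopl syscall number is well beyond the highest capability index.</div>
<blockquote type="cite" class="">
<div class="">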
The fields are swapped.<br class="">
<br class="">
-Topi<br class="">
<br class="">
</div>
</blockquote>
</div>
<br class="">
<div class="">Thanks for the review! I’ve corrected the issue, and have the new patch attached and available here: <a href="https://github.com/jayofdoom/systemd/pull/5.patch" class="">https://github.com/jayofdoom/systemd/pull/5.patch</a>.</div>
<div class=""><br class="">
</div>
<div class="">-Jay Faulkner</div>
<div class=""><br class="">
</div>
<div class=""></div>
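<div class="">An added example, not Jay's patch or systemd's own code, showing the shape the thread describes: a table of capability/syscall pairs written with designated initialisers so the field order cannot be swapped, a start-up validity check that rejects a swapped entry, and the selection step that picks the syscalls to filter only for capabilities absent from the bounding set. It assumes the bounding set is a 64-bit mask with bit i set when capability i is retained, and it uses constructed stand-in constants (the _EX names) in place of CAP_* from linux/capability.h and SCMP_SYS() from libseccomp so that it builds with plain libc.</div>

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Illustrative stand-ins for the kernel's CAP_* indices (<linux/capability.h>)
 * and libseccomp's SCMP_SYS() numbers (<seccomp.h>). The values are
 * constructed for this example so it builds without either header. */
enum {
        CAP_SYS_RAWIO_EX = 17,
        CAP_SYS_ADMIN_EX = 21,
        CAP_SYS_BOOT_EX  = 22,
        CAP_LAST_EX      = 63   /* a capability index must fit in a 64-bit mask */
};
enum {
        SYSNR_IOPL_EX   = 172,
        SYSNR_IOPERM_EX = 173,
        SYSNR_REBOOT_EX = 169,
        SYSNR_SWAPON_EX = 167
};

typedef struct CapSeccompPair {
        uint64_t capability;      /* capability index (not a mask) */
        int scmp_syscall_num;     /* syscall to filter when that capability is absent */
} CapSeccompPair;

/* Designated initialisers make the field order irrelevant, so the
 * capability/syscall swap from the review cannot recur silently. */
static const CapSeccompPair blacklist[] = {
        { .capability = CAP_SYS_RAWIO_EX, .scmp_syscall_num = SYSNR_IOPL_EX },
        { .capability = CAP_SYS_RAWIO_EX, .scmp_syscall_num = SYSNR_IOPERM_EX },
        { .capability = CAP_SYS_BOOT_EX,  .scmp_syscall_num = SYSNR_REBOOT_EX },
        { .capability = CAP_SYS_ADMIN_EX, .scmp_syscall_num = SYSNR_SWAPON_EX },
};
#define BLACKLIST_LEN (sizeof(blacklist) / sizeof(blacklist[0]))

/* Start-up sanity check: every capability field must be a valid index.
 * A swapped entry puts a syscall number (> 63) into .capability and fails here. */
bool cap_seccomp_table_valid(const CapSeccompPair *table, size_t n) {
        for (size_t i = 0; i < n; i++)
                if (table[i].capability > CAP_LAST_EX || table[i].scmp_syscall_num < 0)
                        return false;
        return true;
}

/* Given the capability bounding set as a bit mask (bit i set <=> capability i
 * retained; an assumption of this example), collect the syscalls whose
 * capability is NOT retained. Returns the number of matching syscalls; at most
 * out_len of them are written to out, so a caller can detect truncation. */
size_t syscalls_to_filter(uint64_t bounding_set, const CapSeccompPair *table,
                          size_t n, int *out, size_t out_len) {
        size_t count = 0;
        for (size_t i = 0; i < n; i++) {
                uint64_t bit = UINT64_C(1) << table[i].capability;
                if (bounding_set & bit)
                        continue;             /* capability kept: leave the syscall reachable */
                if (count < out_len)
                        out[count] = table[i].scmp_syscall_num;
                count++;
        }
        return count;
}

int main(void) {
        int blocked[BLACKLIST_LEN];
        /* constructed input: only CAP_SYS_ADMIN is retained in the bounding set */
        uint64_t bounding = UINT64_C(1) << CAP_SYS_ADMIN_EX;

        if (!cap_seccomp_table_valid(blacklist, BLACKLIST_LEN))
                return 1;
        size_t n = syscalls_to_filter(bounding, blacklist, BLACKLIST_LEN, blocked, BLACKLIST_LEN);
        for (size_t i = 0; i < n; i++)
                printf("filter syscall %d\n", blocked[i]);   /* prints 172, 173, 169 */
        return 0;
}
```

<div class="">Running the validity check before installing any filter is the cheap guard for the exact defect Topi spotted: with the fields swapped, a syscall number lands in the capability field, exceeds the 64-bit mask range, and the table is rejected at start-up instead of producing a filter that silently blocks the wrong syscalls or none at all.</div>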
</body>
</html>